Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of May 2018

A new vulnerability in the DHCP client packages shipped with Red Hat Enterprise Linux (CVE-2018-1111) was disclosed in late May; it affects the NetworkManager integration script in particular. The exploit abuses the WPAD option served by a DHCP server, embedding the command to be executed in the option value. The proof of concept fits in a single tweet (https://twitter.com/Barknkilic/status/996470756283486209).

Red Hat has already addressed the vulnerability and encourages customers to update their systems.
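One way a defender can flag the pattern described above, as an added example that is not part of the original update or of any vendor signature: parse the DHCP options field (RFC 2132 TLV encoding) and flag a WPAD option (code 252) whose value contains shell metacharacters, since a legitimate value is a plain URL. The sample option blobs are constructed for illustration, not captured traffic.

```python
import re

# DHCP option code for WPAD (Web Proxy Auto-Discovery), the option abused by CVE-2018-1111.
OPT_WPAD = 252
OPT_PAD, OPT_END = 0, 255

# A legitimate WPAD value is an http(s) URL. Quotes and command separators are the
# warning sign, because the vulnerable script expanded the value in a shell context.
SUSPICIOUS = re.compile(r"['\"`;&|$(){}<>\n]")


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse a DHCP options field into {code: value}; raises on truncated input."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker, ignore anything after it
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def wpad_is_suspicious(blob: bytes) -> bool:
    """True when the lease carries a WPAD option with shell metacharacters in it."""
    opts = parse_dhcp_options(blob)
    if OPT_WPAD not in opts:
        return False
    return bool(SUSPICIOUS.search(opts[OPT_WPAD].decode("latin-1")))


def encode_option(code: int, value: bytes) -> bytes:
    """Helper to build constructed sample options in TLV form."""
    return bytes([code, len(value)]) + value


# Constructed samples (hypothetical, not captured traffic): option 53 = DHCPOFFER.
BENIGN = (encode_option(53, b"\x02")
          + encode_option(OPT_WPAD, b"http://wpad.example.test/wpad.dat")
          + bytes([OPT_END]))
HOSTILE = (encode_option(53, b"\x02")
           + encode_option(OPT_WPAD, b"http://wpad.example.test/wpad.dat'&echo marker&'")
           + bytes([OPT_END]))
```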

We've added IDS signatures and the following correlation rule to detect this activity:

Remcos/Remvio is a Remote Access Trojan (RAT) that has been sold on underground hacker forums and on the Breaking Security website (which presents itself as an ethical hacking company and cybersecurity researcher) for over a year. In addition to common RAT features, Remcos/Remvio can create “automation” tasks, which let a malicious actor exfiltrate data without logging in and doing it manually. Breaking Security periodically updates the features and capabilities of its product, which is commonly used in malware campaigns against the vendor's wishes.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Malware RAT, Remcos/Remvio

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including: